All those options, while increasing security, reduce convenience by potentially breaking certain things.
That’s why they’re provided as commented out by default.
You should be able to find plenty of info by googling them. If you don’t know what they are, you’re better off leaving them commented out. It’s up to you to assess the risk before turning them on.
HSTS is a sledgehammer. Once turned on, it can and likely will break things and you can’t get rid of it by clearing the browser cache or using incognito.
Sure, what I meant is maybe adding a couple of comments per line to broadly give further info to the passing user.
For example, I appreciate the new header to turn off Google’s FLoC, but what are the implications of such technology on a private website, e.g. with no ads?
What kind of things would it break?
I have been using SWAG, subfolders included, with HSTS enabled without any issues.
What you’re asking for would not be simple one liners due to the many possible scenarios. That’s why googling and researching them is recommended.
As a general rule, if you’re using SWAG to host a public website, like a company website and/or reverse proxy company nextcloud, etc. then turn all of those on for extra security.
But if you’re running a home lab where everything is behind something like Authelia and not publicly accessible, you don’t really need those.
With HSTS, once you turn it on, you can’t hit http sites anymore. So no more testing direct http connections like we recommend in this article, or apps that need http access like synclounge.
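To make the HSTS lock-in concrete, here is a small header audit script I added for this thread (it is not part of SWAG or anything either poster wrote). It parses a constructed HTTP response header block, breaks the `Strict-Transport-Security` value into its directives, and reports what a browser will do with it, including the `max-age=0` case that is the only way to make a browser that has already seen the policy forget it, and the `preload` directive, which signals eligibility for browser preload lists that a server-side change alone does not undo. It also reports whether the FLoC opt-out `Permissions-Policy: interest-cohort=()` header is present. The sample response and the header names are the only inputs; nothing is fetched from the network.

```python
"""Audit the security headers SWAG ships commented out (added example)."""

# Constructed sample response: what a server with all the headers enabled
# might send. Replace with the output of `curl -sI https://your.host` to
# audit a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Permissions-Policy: interest-cohort=()\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Return the header block as a dict with lower-cased header names."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into max_age (seconds), include_subdomains, preload."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            out["max_age"] = int(d[len("max-age="):].strip('"'))
        elif d == "includesubdomains":
            out["include_subdomains"] = True
        elif d == "preload":
            out["preload"] = True
    return out


def audit(raw: str) -> dict:
    """Map each security header to a one-line description of its effect."""
    h = parse_headers(raw)
    findings = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = (
            "absent: plain http to this host still works, so direct http testing is possible"
        )
    else:
        p = parse_hsts(hsts)
        if not p["max_age"]:
            # max-age=0 is the documented way to tell browsers that already
            # cached the policy to drop it; they must still visit over https once.
            msg = "max-age=0: browsers that already saw the policy will forget it on their next https visit"
        else:
            days = p["max_age"] // 86400
            msg = f"browsers will refuse plain http to this host for {days} days"
            if p["include_subdomains"]:
                msg += " and to every subdomain"
            if p["preload"]:
                msg += "; preload signals eligibility for browser preload lists, which max-age=0 alone does not undo"
        findings["Strict-Transport-Security"] = msg

    policy = h.get("permissions-policy", "").replace(" ", "")
    findings["Permissions-Policy"] = (
        "interest-cohort=() present: opts the site out of FLoC cohort calculation"
        if "interest-cohort=()" in policy
        else "no FLoC opt-out: the site's visits may feed FLoC cohorts"
    )

    for name in ("x-frame-options", "x-content-type-options"):
        findings[name.title()] = (
            f"set to {h[name]}" if name in h else "absent"
        )
    return findings


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_RESPONSE).items():
        print(f"{header}: {finding}")
```

Run it against a `curl -sI` capture before uncommenting the headers in production, and note the `max-age=0` branch: if HSTS breaks something such as an http-only app, re-enabling plain http on the server is not enough, the server must keep serving `Strict-Transport-Security: max-age=0` over https until every browser that cached the policy has visited again.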